Tunnel Creation

When a tunnel is created, the Network Connect or Pulse client first opens a persistent SSL connection (called the control channel, on port 443) to the Pulse Connect Secure device. The control channel is used to send the tunnel setup request to the Pulse Connect Secure device and to receive the tunnel configuration in the response. If ESP is configured, the ESP-specific cipher details are added to that response before it is sent to the client. When the client receives the response, it attempts to create a tunnel in ESP mode and sends an ESP request to the Pulse Connect Secure device.

ESP keep alive with idle timeout behavior

During tunnel setup

After an ESP tunnel has been created, the client sends keep-alive packets to the Pulse Connect Secure device to confirm that the device is reachable through ESP mode. If an ESP response is received, the Pulse or Network Connect client continues operating on the assumption that the ESP tunnel was successfully created. If no ESP response is received, the client sends a keep-alive packet every one (1) second until the "ESP to SSL fallback time" is exceeded (by default, 15 seconds). When this time is exceeded, the Pulse or Network Connect client falls back to SSL mode.

After the ESP tunnel is functioning

After an ESP tunnel has been successfully created, an idle timeout of one (1) minute is set. Whenever the client receives a data packet or a keep-alive response, this timer is reset to one (1) minute.

If the one (1) minute idle timer expires, the Pulse or Network Connect client sends a keep-alive packet every one (1) second until either a keep-alive response is received (which resets the idle timer) or the ESP to SSL fallback time is exceeded, at which point the client falls back to SSL mode.

The idle timeout (60 seconds) plus the ESP to SSL fallback time (by default, 15 seconds) is the amount of time it takes the client to switch from ESP to SSL mode. With the default values, it takes 75 seconds after the last received packet before the client fails over to SSL mode.

ESP rekey

By default, the key lifetime (under Users > Resource Policies > VPN Tunneling > Connection Profiles) is set to 20 minutes. When an ESP tunnel is created, a unique ESP SPI id is generated by the Pulse Connect Secure device and is valid for 20 minutes. At the 12-minute mark (3/5 of the key lifetime), the client attempts to rekey and obtain a new ESP SPI id. If the rekey is successful, a new SPI id is generated and the 20-minute counter resets. If the rekey is unsuccessful, the client waits 60 seconds and attempts the rekey again. If the client exceeds the key lifetime without a successful rekey, the ESP tunnel falls back to SSL mode.

ESP packet flow

When an L3 tunnel is created, a virtual adapter interface is created. This interface obtains an NC IP address from the Pulse Connect Secure device. In the example below, split tunneling is disabled, so all packets are routed through the virtual adapter. If split tunneling is enabled, the virtual adapter only captures packets destined for the routes configured in the split tunneling policy; all other packets are routed through the client's physical adapter.

An ICMP request packet is formed with the Source IP (NC IP address) and the Destination IP (Backend server IP).

This packet is captured by the virtual adapter interface, and the Network Connect or Pulse application encrypts it with ESP, wrapping it in an outer packet whose Source IP is the client's physical IP address and whose Destination IP is the SA external IP (the public IP address of the SA device).